Abstract

(TS//SI//REL) The goal of forward-based defense is to detect and mitigate malicious
threats in real-time, as close to the source as possible. It is part of a layered defense
strategy with four concentric zones: endpoint-, perimeter-, aggregation-, and
forward-based defenses. The QUANTUMTHEORY mission leverages NSA's vast system of
distributed passive sensors to detect target traffic and tip a centralized
command/control node. This node assesses the tip and injects a response towards the
target using active TAO assets.

(TS//SI//REL) Extremely powerful CNE/CND/CNA network effects are enabled by 
integrating our passive and active systems: 

- resetting connections
- redirecting targets for exploitation
- taking control of IRC bots
- corrupting file uploads/downloads
- More!

(TS//SI//REL) The success rate of these effects is largely determined by the latency
from tip-to-target. QFIRE is a consolidated QUANTUMTHEORY platform under
development that reduces latencies by co-locating (1) existing passive sensors with (2)
local decision resolution, and (3) the ability to locally inject traffic to achieve the
desired network effect.






Topics 



- Layered Defense Model
- NSA TURBULENCE Architecture
  - TURMOIL passive SIGINT sensors
  - TURBINE active SIGINT command/control
- QUANTUMTHEORY
  - Integrating passive/active systems for CNE/CND/CNA
- QFIRE
  - Consolidated low-latency QUANTUMTHEORY capability under development for forward-based defense

(S//SI//REL) High-speed passive collection
systems intercept foreign target satellite, microwave,
and cable communications as they transit the globe.

TURBINE: Active Mission Management

(TS//SI//REL) TURBINE provides
centralized automated command/control
of a large network of active implants



Accesses 

QUANTUMTHEORY

(TS//SI//REL) Extremely powerful CNE/CND/CNA network
effects are enabled by integrating our passive and active systems:



- Resetting connections (QUANTUMSKY)
- Redirecting targets for exploitation (QUANTUMINSERT)
- Taking control of IRC bots (QUANTUMBOT)
- Corrupting file uploads/downloads (QUANTUMCOPPER)



(TS//SI//REL) QUANTUMTHEORY dynamically injects packets into a 
target's network session to achieve CNE/CND/CNA network effects. 

- Detect: TURMOIL passive sensors detect target traffic & tip TURBINE command/control.
- Decide: TURBINE mission logic constructs response & forwards to TAO node.
- Inject: TAO node injects response onto Internet towards target.



(TS//SI//REL) The propagation delay from tip-to-target determines the 
success rate of the network effect. Less Latency = More Success! 



QFIRE: Consolidate for 




antic/Pacific latency 



- QUANTUMTHEORY Path: site -> NSAW-TURBINE -> target

(TS//SI//REL) QFIRE collocates at site: sensor, decision logic, and
local/regional injection capability to achieve low latency.

- Use existing SIGINT sensors for alerting
- Local decision resolution (local TURBINE)
- Local/regional injection capability
- QFIRE Path: site -> target

(TS//SI//REL) A low latency capability substantially increases the 
variety of achievable CNE/CND/CNA network effects and improves 
their overall effectiveness. 




QFIRE/Forward-Based 

Defense: 




encies 

- Conduct time trials & evaluate operational effectiveness
- Develop/deploy QFIRE for high-speed SSO cable site(s)

Dependencies

- Grow regional shooter infrastructure (more Points-of-Presence)
- Develop local/regional insertion capability at SSO cable accesses
- Enhance cloud analytics and QUANTUM missions
- Botnet mitigation pilot effort

QFIRE @ SCS: Physical/Virtual Network Architecture

HTTP Web Client/Server

Client initiates request, then server replies

- TCP socket:
  - Client: TCP SYN
  - Server: TCP SYN/ACK
- HTTP 1.1 Persistent Connection
  - Client: HTTP GET1
  - Server: HTTP Response1
  - Client: HTTP GET2
  - Server: HTTP Response2

QUANTUM INSERT: racing the server

- Wait for client to initiate new connection
- Observe server-to-client TCP SYN/ACK
- Shoot! (HTTP Payload)
- Hope to beat server-to-client HTTP Response

The Challenge:

- Can only win the race on some links/targets
- For many links/targets: too slow to win the race!
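
Seen from the defender's side, the race described on this slide leaves a trace on the wire: two server-to-client segments cover the same TCP sequence range but carry different content, one from the injector and one from the real server. The following Python is an added example, not part of the original slides; the Segment record, the find_conflicts function, the addresses, payloads and TTL values are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):
    flow: tuple     # (server_ip, server_port, client_ip, client_port)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    ttl: int        # IP TTL observed at the capture point

def find_conflicts(segments):
    """Flag segments whose bytes contradict data already seen at the same
    sequence offsets of the same server-to-client flow."""
    seen = defaultdict(dict)    # flow -> {offset: (byte, ttl of first copy)}
    findings = []
    for seg in segments:
        stream, clash = seen[seg.flow], None
        for i, byte in enumerate(seg.payload):
            off = (seg.seq + i) & 0xFFFFFFFF    # sequence space wraps at 2**32
            if off in stream and stream[off][0] != byte and clash is None:
                clash = (off, stream[off][1])   # first contradicting offset
            stream.setdefault(off, (byte, seg.ttl))  # keep the first copy seen
        if clash:
            # Same offsets, different content: a plain retransmission repeats
            # the same bytes. Differing TTLs hint that the two copies took
            # different paths to the capture point.
            findings.append({"flow": seg.flow, "seq": clash[0],
                             "first_ttl": clash[1], "second_ttl": seg.ttl})
    return findings

# Constructed capture (documentation addresses, invented payloads and TTLs).
WEB = ("198.51.100.7", 80, "192.0.2.10", 49152)
OTHER = ("198.51.100.9", 80, "192.0.2.10", 49153)
SAMPLE = [
    Segment(WEB, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://other.example/\r\n\r\n", 57),
    Segment(WEB, 1000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 49),
    Segment(OTHER, 5000, b"HTTP/1.1 200 OK\r\n\r\n", 52),   # original
    Segment(OTHER, 5000, b"HTTP/1.1 200 OK\r\n\r\n", 52),   # benign retransmission
]

if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE):
        print(finding)
```
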

QUANTUMTHEORY

Timing Measurements, QUANTUMTHEORY Workshop, October 2010





